GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
GDPR’s running emphasis on data protection via data security it is implicitly encouraging the use of encryption above and beyond a risk reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.


  1. Tomi Engdahl says:

    EU parliament calls for Privacy Shield to be pulled until US complies

    The European Parliament has been making its presence felt today. As well as reopening democratic debate around a controversial digital copyright reform proposal by voting against it being fast-tracked, MEPs have adopted a resolution calling for the suspension of the EU-US Privacy Shield.

    The parliamentarians’ view is that the data transfer mechanism does not provide the necessary ‘essentially equivalent’ data protection for EU citizens — and should therefore be suspended until US authorities come into compliance.

    “Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms”

    The mechanism is currently used by more than 3,300 organizations to authorize transfers of personal data from the EU to the US, including the likes of Facebook, Google, Microsoft, Amazon and Twitter

    The EU-US Privacy Shield is not yet two years old but has always been controversial

    Privacy Shield was only officially adopted in July 2016, but EU lawmakers have been getting increasingly unhappy because core components of the framework have been left hanging by US authorities.

    “The Cloud Act could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws,”

    Facebook-Cambridge Analytica data misuse scandal. Europeans’ data was among the up to 87M compromised accounts related to that scandal.

    Any sanction or removal from the framework depends on US authorities judging an entity to have breached its obligations under the framework — and taking action.

    The continued presence of any entity on the Privacy Shield list that has demonstrably failed to safeguard EU citizens’ personal data must raise serious questions over how much actual protection the framework affords.

    However only the European Commission can suspend the Privacy Shield mechanism itself.

    And the Commission continues to stand behind the framework it worked with the US to shape and negotiate.

    There’s a wild card here too though: Privacy Shield is now facing serious legal questions in Europe

  2. Tomi Engdahl says:

    AI spots legal problems with tech T&Cs in GDPR research project

    Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law.

  3. Tomi Engdahl says:

    German Court Issues First GDPR Ruling

    The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

  4. Tomi Engdahl says:

    GDPR “Great Data Protection Rocks”?

  5. Tomi Engdahl says:

    Super Robot to the rescue! How robots can help you be GDPR compliant.

    Winter might be over, but GDPR is here! If you’re been hibernating to avoid what that entails, it’s time to sort things out, with some help from software robots!

  6. Tomi Engdahl says:

    You Should Still Care About GDPR

    GDPR Forces Companies to Examine How They Treat Data

    In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance was well announced, covered by global media and discussed at conferences for at least 365 days prior-to.

    In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulations. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high stakes game. In fact, some smaller firms, such as and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.


Leave a Comment

Your email address will not be published. Required fields are marked *